(x) $_SERVER["PHP_SELF"]
(o) htmlspecialchars($_SERVER["PHP_SELF"])
출처
http://www.w3schools.com/php/php_form_validation.asp
$_SERVER["PHP_SELF"] exploits can be avoided by using the htmlspecialchars() function.
The form code should look like this:
<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">
The htmlspecialchars() function converts special characters to HTML entities. Now if the user tries to exploit the PHP_SELF variable, it will result in the following output:
<form method="post" action="test_form.php/"><script>alert('hacked')</script>">
The exploit attempt fails, and no harm is done!
댓글